I'm back to thinking about CSRF: why is it useful for sites to be able to embed resources (like <img src="othersite.com/whatever.jpg">) and for the browser to send the user's cookies to the third-party site?

There's "ads" and "tracking" obviously but I feel like there's another actually-useful-to-users reason I'm not thinking of

@b0rk I always thought it was just people mapping domains to servers (pre-LB), pointing directly to files on self-managed but perhaps authenticated services.

Like documents.example.com may hold the corporate PDFs and require authentication to reach, but the site is navigated at www.example.com.

Before CSPs it was all or nothing, right? Not sure it's a good reason, but I recall hearing of these single-URL-per-server setups as a reason to use subdomains even.